advertisement
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com/en-us/enterprise/trend-micro-safe-lock.aspx
© 2014 Trend Micro Incorporated. All Rights Reserved.Trend Micro, the Trend Micro t-ball logo, Safe Lock, Intelligent Manager, Portable Security, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Document Part No.: SLEM26723/141016
Release Date: December 2014
Protected by U.S. Patent No.: Patents pending.
This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.
Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge
Base.
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]
.
Evaluate this documentation on the following site: http://docs.trendmicro.com/en-us/survey.aspx
Table of Contents
Preface
Chapter 1: Introduction
What's New in This Version ................................................................. 1-2
Agent Features and Benefits ................................................................. 1-3
Agent Use Overview ............................................................................ 1-10
Chapter 2: Local Agent Installation
Installation Using the Command Line ...................................................... 2-11
Installer Command Line Interface Parameters ................................ 2-12
Installation Customization .................................................................. 2-13
Chapter 3: Local Agent Uninstallation
Uninstalling Agents from Windows ............................................................ 3-2
Chapter 4: Technical Support
Using the Support Portal ....................................................................... 4-2
i
Trend Micro™ Safe Lock™ Installation Guide
Speeding Up the Support Call .............................................................. 4-3
Index
ii
Preface
•
This Administrator's Guide introduces Trend Micro Safe Lock and guides administrators through installation and deployment.
•
•
Topics in this chapter include:
About the Documentation on page iii
Document Conventions on page iv
About the Documentation
Trend Micro Safe Lock documentation includes the following:
T
ABLE
1. Trend Micro Safe Lock Documentation
D
OCUMENTATION
Installation Guide
Administrator's Guide
Readme file
Knowledge Base
D
ESCRIPTION
A PDF document that discusses requirements and procedures for installing Safe Lock.
A PDF document that discusses getting started information and Safe Lock usage and management.
Contains a list of known issues. It may also contain latebreaking product information not found in the printed documentation.
An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com
Download the latest version of the PDF documents and Readme at: http://docs.trendmicro.com
iii
Trend Micro™ Safe Lock™ Installation Guide
Audience
Trend Micro Safe Lock documentation is intended for administrators responsible for
Safe Lock management, including agent installation. These users are expected to have advanced networking and server management knowledge.
Document Conventions
The following table provides the official terminology used throughout the Trend Micro
Safe Lock documentation:
T
ABLE
2. Document Conventions
C
ONVENTION
UPPER CASE
Bold
Italics
Monospace
Navigation > Path
Note
D
ESCRIPTION
Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Menus and menu commands, command buttons, tabs, and options
References to other documents
Sample command lines, program code, web URLs, file names, and program output
The navigation path to reach a particular screen
For example, File > Save means, click File and then click
Save on the interface
Configuration notes
Recommendations or suggestions
Tip
Important
Information regarding required or default configuration settings and product limitations iv
C
ONVENTION
WARNING!
D
ESCRIPTION
Critical actions and configuration options v
Chapter 1
Introduction
Trend Micro Safe Lock delivers a simple, no-maintenance solution to lock down and protect fixed-function computers, helping protect businesses against security threats and increase productivity.
•
Topics in this chapter include:
About Trend Micro Safe Lock on page 1-2
1-1
Trend Micro™ Safe Lock™ Installation Guide
About Trend Micro Safe Lock
Trend Micro Safe Lock protects fixed-function computers like Industrial Control
Systems (ICS), Point of Sale (POS) terminals, and kiosk terminals from malicious software and unauthorized use. By using fewer resources and without the need for regular software or system updates, Safe Lock can reliably secure computers in industrial and commercial environments with little performance impact or downtime.
What's New in This Version
This section lists the new features and enhancements available in each release.
Trend Micro Safe Lock 2.0 Features and Enhancements
Trend Micro Safe Lock 2.0 includes the following new features and enhancements.
T
ABLE
1-1. New Features
F
EATURE
Write Protection
Integrity Monitoring
Approved List and
Trusted Updater support
Digital Signatures
Exception Path
D
ESCRIPTION
Prevents write access to all files in the Approved List and all objects (files, folders, and registry entries) in the Write
Protection List
Monitors file change events system-wide for files, folders, and the registry
Allow to loading or launching files that have pre-defined digital signatures, even if the files are not in the Approved List
Custom Action
Allow to loading or launching files in a pre-defined
“exceptions” folder without adding them to the Approved List
Takes action on blocked files, for example Ignore,
Quarantine, or Ask Server (requires Safe Lock Intelligent
Manager)
1-2
Introduction
Agent Features and Benefits
Trend Micro Safe Lock includes the following features and benefits.
Application Lockdown
By preventing programs, DLL files, drivers, and scripts not specifically on the Approved
List of applications from running (also known as application white listing), Safe Lock provides both improved productivity and system integrity by blocking malicious software and preventing unintended use.
Exploit Prevention
Known targeted threats like Downad and Stuxnet, as well as new and unknown threats, are a significant risk to ICS and kiosk computers. Systems without the latest operating system updates are especially vulnerable to targeted attacks.
Safe Lock provides both intrusion prevention, which helps prevent threats from spreading to the endpoint, and execution prevention, which helps prevent threats from spreading to the endpoint or from running.
Easy Management
When software needs to be installed or updated, the Trusted Updater and Predefined
Trusted Updater List provide an easy way to make changes to the endpoint and automatically add new or modified files to the Approved List, all without having to unlock Trend Micro Safe Lock.
Small Footprint
Compared to other endpoint security solutions that rely on large pattern files that require constant updates, application lockdown uses less memory and disk space, without the need to download updates.
1-3
Trend Micro™ Safe Lock™ Installation Guide
1-4
Role Based Administration
Trend Micro Safe Lock provides a separate administrator and Restricted User account, providing full control during installation and setup, as well as simplified monitoring and maintenance after deployment.
Graphical and Command Line Interfaces
Anyone who needs to check the software can use the console, while system administrators can take advantage of the command line interface (CLI) to access all of the features and functions available.
Trend Micro Portable Security Compatible
Out-of-the-box compatibility with Trend Micro Portable Security ensures straightforward removal of any threats that do get on to the endpoint, without the need to update the Approved List or unlock the endpoint.
Self Protection
Self Protection provides ways for Trend Micro Safe Lock to defend the processes and other resources required to function properly. Self Protection helps thwart attempts by programs or actual users to disable the software.
•
•
•
Self Protection blocks all attempts to terminate the following services:
Trend Micro Safe Lock Service ( WkSrv.exe
)
Trend Micro Unauthorized Change Prevention Service (
Trend Micro Personal Firewall ( TmPfw.exe
)
TMBMSRV.exe
)
Safe Lock Agent Requirements
This section introduces Safe Lock system requirements and upgrade limitations.
Introduction
Agent Requirements
Trend Micro Safe Lock does not have specific hardware requirements beyond those specified by the operating system, with the following exceptions:
T
ABLE
1-2. Required Hardware for Safe Lock
H
ARDWARE
/S
OFTWARE
Available disk space
Monitor resolution
D
ESCRIPTION
200MB minimum
300MB recommended
640x480
•
•
•
Important
Safe Lock cannot be installed on a system that already runs one of the following:
Trend Micro OfficeScan
Trend Micro Titanium
Another Trend Micro endpoint solution
Agent Operating Systems
See the readme file for the most up-to-date list of supported operating systems for Safe
Lock agents.
Note
Memory Randomization, API Hooking Prevention, and DLL Injection Prevention are not supported on 64-bit platforms.
1-5
Trend Micro™ Safe Lock™ Installation Guide
T
ABLE
1-3. List of Supported Operating Systems
W
INDOWS
V
ERSION
T
YPE
W
INDOWS
V
ERSION
N
AME
Windows Clients Windows 2000 SP4* (32-bit)
Note
*Without Update Rollup, this version of Windows does not support DLL/Driver Lockdown, Integrity Monitoring, and the Predefined Trusted Updater.
Windows XP SP1*/SP2/SP3 (32-bit) (except Starter and
Home editions)
Note
*This version of Windows does not support DLL/Driver
Lockdown, Integrity Monitoring, and the Predefined
Trusted Updater.
Safe Lock does not support a custom action of
“quarantine” on Windows XP or Windows 2003.
Windows Vista No-SP/SP1/SP2 (32-bit) (except Starter and
Home editions)
Windows 7 No-SP/SP1 (32-bit and 64-bit) (except Starter and
Home editions)
Windows 8 Enterprise No-SP (32-bit and 64-bit)
Windows 8.1 Enterprise No-SP (32-bit and 64-bit)
1-6
Introduction
W
INDOWS
V
ERSION
T
YPE
Windows Server
W
INDOWS
V
ERSION
N
AME
Windows 2000 Server SP4* (32-bit)
Note
*Without Update Rollup, this version of Windows does not support DLL/Driver Lockdown, Integrity Monitoring, and the Predefined Trusted Updater.
Windows Server 2003 SP1/SP2 (32-bit)
Note
Safe Lock does not support a custom action of
“quarantine” on Windows XP or Windows 2003.
Windows Server 2003 R2 No-SP/SP2 (32-bit)
Note
Safe Lock does not support a custom action of
“quarantine” on Windows XP or Windows 2003.
Windows Server 2008 SP1/SP2 (32-bit and 64-bit)
Windows Server 2008 R2 No-SP/SP1 (64-bit)
Windows Server 2012 No-SP (64-bit)
Windows Server 2012 R2 No-SP (64-bit)
1-7
Trend Micro™ Safe Lock™ Installation Guide
W
INDOWS
V
ERSION
T
YPE
Windows Embedded
Standard
W
INDOWS
V
ERSION
N
AME
Windows (Standard) XP Embedded SP1*/SP2 (32-bit)
Note
*This version of Windows does not support DLL/Driver
Lockdown, Integrity Monitoring, and the Predefined
Trusted Updater.
Safe Lock does not support a custom action of
“quarantine” on Windows XP or Windows 2003.
Windows Embedded
POSReady
Windows Embedded
Enterprise
Windows Embedded Standard 2009 (32-bit)
Windows Embedded Standard 7 (32-bit and 64-bit)
Windows Embedded Standard 8 (32-bit and 64-bit)
Windows Embedded Standard 8.1 (32-bit and 64-bit)
Windows Embedded POSReady (32-bit)
Windows Embedded POSReady 2009 (32-bit)
Windows Embedded POSReady 7 (32-bit and 64-bit)
Windows Embedded Enterprise XP SP1*/SP2/SP3 (32-bit)
Note
*This version of Windows does not support DLL/Driver
Lockdown, Integrity Monitoring, and the Predefined
Trusted Updater.
Safe Lock does not support a custom action of
“quarantine” on Windows XP or Windows 2003.
Windows Embedded Enterprise Vista (32-bit)
Windows Embedded Enterprise 7 (32-bit and 64-bit)
1-8
Introduction
W
INDOWS
V
ERSION
T
YPE
Windows Embedded
Server
W
INDOWS
V
ERSION
N
AME
Windows Embedded Server 2003 SP1/SP2 (32-bit)
Note
Safe Lock does not support a custom action of
“quarantine” on Windows XP or Windows 2003.
Windows Embedded Server 2003 R2 (32-bit)
Note
Safe Lock does not support a custom action of
“quarantine” on Windows XP or Windows 2003.
Windows Embedded Server 2008 (32-bit and 64-bit)
Windows Embedded Server 2008 R2 (64-bit)
Windows Embedded Server 2012 (64-bit)
Windows Embedded Server 2012 R2 (64-bit)
Agent Upgrade Preparation
WARNING!
Depending on the installation method you select, Safe Lock versions require different preparation before upgrading.
Before upgrading, take the appropriate action below for your installation method and installed Safe Lock agent version:
1-9
Trend Micro™ Safe Lock™ Installation Guide
T
ABLE
1-4. Upgrade Actions Required by Installation Method and Installed Agent
Version
I
NSTALLATION
M
ETHOD
Local installation using Windows
Installer
Local installation using Command
Line Interface Installer
Remote
I
NSTALLED
A
GENT
V
ERSION
1.0
1.1
2.0 or later
1.0
1.1
2.0 or later
1.0
1.1
2.0 or later
R
EQUIRED
A
CTION
S
R
ETTINGS
ETAINED
No preparation needed
No preparation needed
No preparation needed
No settings retained
Compatible settings retained
No settings retained
Manually uninstall No settings retained
No preparation needed
Compatible settings retained
Manually uninstall No settings retained
Manually uninstall No settings retained
Manually uninstall No settings retained
Manually uninstall No settings retained
Agent Use Overview
Trend Micro Safe Lock is a whitelist solution that locks down computers, preventing all applications not on the Approved List from running. Safe Lock can be configured and maintained using the graphical user interface (GUI) agent console or the command line interface (CLI). System updates can be applied without turning off Application
Lockdown at the endpoint through the Predefined Trusted Updater List or by using the
Trusted Updater.
1-10
Introduction
Consider this typical use case scenario:
1.
Set up the Approved List and turn on Application Lockdown on the endpoint so that unapproved applications cannot be run.
2.
Use the Trusted Updater to update or install software whose installer is not on the
Predefined Trusted Updater list.
3.
Configure and enable the Restricted User account for later maintenance.
If someone tries to run an application not specifically on the Approved List, the following message displays:
F
IGURE
1-1. Trend Micro Safe Lock blocking message
1-11
Chapter 2
Local Agent Installation
This chapter describes local Trend Micro Safe Lock agent installation and setup procedures.
•
•
•
•
Topics in this chapter include:
Local Installation Overview on page 2-2
Installing from Windows on page 2-2
Setting Up the Approved List on page 2-8
Installation Using the Command Line on page 2-11
2-1
Trend Micro™ Safe Lock™ Installation Guide
Local Installation Overview
Trend Micro Safe Lock can be installed using either the Windows Installer or the command line interface (CLI) installer.
WARNING!
Depending on the installation method you select, Safe Lock versions require different preparation before upgrading. See
Agent Upgrade Preparation on page 1-9 for more
information.
T
ABLE
2-1. Safe Lock Local Installation Methods
I
NSTALLATION
M
ETHOD
Windows Installer
Command line interface installer
B
ENEFITS
The Windows Installer provides simplified step-by-step installation wizard for first-time or single installation. Also suitable for preparing for mass deployment for cloned computer systems.
The command line interface (CLI) installer provides silent installation and can be integrated into a batch file for mass deployment.
Installing from Windows
To install Trend Micro Safe Lock, you must log on using an account with administrator privileges.
Procedure
1.
Double-click Setup.exe
.
If a User Account Control warning from Windows appears, click Yes.
2-2
Local Agent Installation
2-3
Trend Micro™ Safe Lock™ Installation Guide
2.
When the installation wizard opens, click Next.
Note
If there is another version of Safe Lock on the endpoint, the installer will remove it before installing the latest version.
3.
Read the license agreement, select I accept the terms in the License Agreement, and click Next.
2-4
4.
Make any necessary changes to the installation options, and click Next.
Important
Network Virus Protection can only be installed during the initial program installation and can be disabled after installation if necessary. See Exploit Prevention Settings in the Administrator's Guide for more information.
Local Agent Installation
5.
Provide the Activation Code and specify an administrator password for Trend
Micro Safe Lock.
Note
The password must be 8 to 64 alphanumeric characters. The following characters are not supported: | > < \ " spaces. The Safe Lock administrator password is unrelated to the Windows administrator password.
2-5
Trend Micro™ Safe Lock™ Installation Guide
2-6
WARNING!
Do not forget the Safe Lock administrator password. The only way to recover after losing the Safe Lock administrator password is by reinstalling the operating system.
6.
Click Next.
Local Agent Installation
A message appears asking if you would like to scan the endpoint for threats before continuing with the installation.
7.
Optionally, scan the endpoint for threats before continuing with the installation.
Trend Micro recommends you perform this scan.
• To scan the endpoint for threats, click Scan.
a.
The Endpoint Prescan window appears.
b.
To customize the scan settings, click Edit Scan Settings.
c.
Click Scan Now.
If Endpoint Prescan detects security risks, Trend Micro recommends canceling the installation. Remove threats from the endpoint and try again. If critical programs are detected as threats, confirm that the endpoint is secure and that the versions of the programs installed do not contain threats. Ignore detected threats only if you are absolutely certain that they are false positives.
• To skip scanning, click Do Not Scan.
8.
When the Installation Complete window displays, click Finish.
2-7
Trend Micro™ Safe Lock™ Installation Guide
Note
While restarting the endpoint after installation is not necessary, memory randomization will not be enabled until the endpoint is restarted. See Exploit
Prevention Settings in the Administrator's Guide for more information.
Setting Up the Approved List
Before Trend Micro Safe Lock can protect the endpoint, it must check the endpoint for existing applications and installers necessary for the system to run correctly.
Procedure
1.
Open the Safe Lock console.
2-8
The Safe Lock log on screen appears.
Local Agent Installation
2.
Provide the password and click Login.
Safe Lock asks if you want to set up the Approved List now.
3.
At the notification window, select Yes. Set up the Approved List now and click
OK.
2-9
Trend Micro™ Safe Lock™ Installation Guide
Safe Lock scans the endpoint and adds all applications to the Approved List.
2-10
Safe Lock displays the Approved List Configuration Results.
Local Agent Installation
Note
When Trend Micro Safe Lock Application Lockdown is on, only applications that are in the Approved List will be able to run.
4.
Click Close.
Installation Using the Command Line
Administrators can install Safe Lock from the command line interface (CLI) or using a batch file, allowing for silent installation and mass deployment. For mass deployment,
2-11
Trend Micro™ Safe Lock™ Installation Guide
Trend Micro recommends first installing Safe Lock on a test computer since a customized installation may require a valid configuration file and Approved List. See the
Trend Micro Safe Lock Administrator's Guide for more information about the
Approved List and configuration file.
Installer Command Line Interface Parameters
The following table lists the commands available for Setup.exe
.
T
ABLE
2-2. Safe Lock Installer Command Line Options
P
ARAMETER
V
ALUE
D
ESCRIPTION
-q Run the installer silently
-p
-d
<administrator_ password>
<path>
Specify the administrator password
Specify the installation path
-ac
-nd
<activation_cod e>
Specify the activation code
Do not create a desktop shortcut
-ns Do not add a shortcut to the Start menu
-ni
-nfw
Hide the task tray icon
Disable the network antivirus function
-cp <path> Specify the Safe Lock configuration file
Note
The Safe Lock configuration file can be exported after installing Safe Lock.
2-12
Local Agent Installation
P
ARAMETER
-lp
V
ALUE
<path>
D
ESCRIPTION
Specify the Approved List
Note
After installing Safe Lock and creating the
Approved List, the list can be exported.
-qp
-nrca
-nps
-ips
<path> Specify the folder path for quarantined files when custom action is set to “quarantine” mode.
Disable the Root Cause Analysis (RCA) report
Do not execute Prescan
Do not cancel installation when Prescan detects threats
An example command line interface (CLI) install would look like this: setup.exe -q -ac XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX -p
P@ssW0Rd -nd
Important
An administrator password and Activation Code must be specified for the installation to continue.
Installation Customization
To change the default installation parameters, create a text file called setup.ini
in the same folder as setup.exe
. The following table lists the commands available for setup.ini
. If no value is specified in the setup file, the default value will be used.
Note
Arguments specified at the command line interface (CLI) take higher priority than the setup file, which takes higher priority over the default values. For example, if the switch nd is added to setup.exe
, and setup.ini
contains NO_DESKTOP=0 , the switch will take precedence, and a Safe Lock desktop shortcut will not be created.
2-13
Trend Micro™ Safe Lock™ Installation Guide
2-14
T
ABLE
2-3. Setup.ini File [Property] Section Arguments
K
EY
D
ESCRIPTION
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
E
NCRYPT
<empty> No
ED
-
ACTIVATION_CODE
NO_DESKTOP
NO_STARTMENU
NO_SYSTRAY
NO_NSC
CONFIG_PATH
LIST_PATH
APPLICATIONFOLDER
MANAGED_MODE
PASSWORD
Activation Code <activation_code>
Create a shortcut on desktop
Create a shortcut in the
Start menu
•
•
•
• 1 : Do not create shortcut
0 : Create shortcut
1 : Do not create shortcut
0 : Create shortcut
Display the system tray icon and Windows notifications
Install firewall
Approved List path for import
Installation path for agent program
•
•
•
•
Configuration file path
<path>
<path>
1 : Do not create system tray icon
0 : Create system tray icon
1 : Do not create firewall
0 : Create firewall
<path>
0
0
0
0
<empty>
<empty>
<empty>
No
No
No
No
No
No
No
Specify if Safe
Lock is managed by the Safe Lock
Intelligent
Manager server
•
•
Password which is used for
SLCmd.exe
and
0 : Standalone mode
1 : Managed mode
<password>
0
<empty>
No
No
Local Agent Installation
K
EY
D
ESCRIPTION
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
E
NCRYPT
-
ED
CUSTOM_ACTION
Safe Lock console
Custom action for blocked events
•
•
• 0 : Ignore
1 : Quarantine
2 : Ask server
<path> QUARANTINE_FOLDER
_PATH
ROOT_CAUSE_ANALYS
IS
INTEGRITY_MONITOR
PRESCAN
Quarantine path for agent program
Enable Root
Cause Analysis reporting
Enable Integrity
Monitor
Prescan the endpoint before installing Safe
Lock
•
•
•
•
0 : Disable
Other value:
Enable
0 : Disable
Other value:
Enable
•
•
1 : Prescan the endpoint
0 : Do not prescan the endpoint
Positive integer MAX_EVENT_DB_SIZE
WEL_SIZE
WEL_RETENTION
Maximum database file size (MB)
Windows Event
Log size (KB)
Windows Event
Log option when maximum event log size is reached on
Windows Event
Log.
Positive integer
•
•
For Windows XP or earlier platforms:
0 : Overwrite events as needed
1 - 365 : Overwrite events older than
(1-365) days
0 No
<empty> No
1
0
1
1024
1024
0
No
No
No
No
No
No
2-15
Trend Micro™ Safe Lock™ Installation Guide
2-16
K
EY
WEL_IN_SIZE
WEL_IN_RETENTION
D
ESCRIPTION
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
•
•
• -1 : Do not overwrite events
(Clear logs manually)
•
For Windows Vista or later platforms:
0 : Overwrite events as needed
(oldest events first)
1 : Archive the log when full, do not overwrite events
-1 : Do not overwrite events
(Clear logs manually)
Positive integer Windows Event
Log size for
Integrity Monitor events (KB)
Windows Event
Log option when maximum event log size for
Integrity Monitor events is reached on
Windows Event
Log.
•
For Windows XP or earlier platforms:
0 : Overwrite events as needed
•
•
1 - 365 : Overwrite events older than
(1-365) days
-1 : Do not overwrite events
(Clear logs manually)
For Windows Vista or later platforms:
1024
0
E
NCRYPT
-
ED
No
No
Local Agent Installation
K
EY
SILENT_INSTALL
D
ESCRIPTION
Execute installation in silent mode
•
•
•
•
•
P
OSSIBLE
V
ALUES
0 : Overwrite events as needed
(oldest events first)
1 : Archive the log when full, do not overwrite events
-1 : Do not overwrite events
(Clear logs manually)
1 : Use silent mode
0 : Do not use silent mode
0
D
EFAULT
V
ALUE
E
NCRYPT
-
ED
No
Important
To use silent mode, you must also specify the ACTIVATION_CODE and PASSWORD keys and values.
For example:
[PROPERY]
ACTIVATION_CODE=XX-XXXX-XXX
XX-XXXXX-XXXXX-XXXXX-XXXXX
PASSWORD=P@ssW0Rd
SILENT_INSTALL=1
T
ABLE
2-4. Setup.ini File [Server] Section Arguments
K
EY
D
ESCRIPTION
P
OSSIBLE
V
ALUES
HOSTNAME Server host name
<host_name>
D
EFAULT
V
ALUE
E
NCRYPT
<empty> No
ED
-
2-17
Trend Micro™ Safe Lock™ Installation Guide
2-18
K
EY
D
ESCRIPTION
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
E
NCRYPT
<empty> No
ED
-
PORT_FAST
PORT_SLOW
CERT
Server listen port for fast lane
1 - 65535
Server listen port for slow lane
1 - 65535
Certificate file name
API key
<certificate_file_name
>
<API_key>
<empty> No
<empty> No
API_KEY <empty> No
T
ABLE
2-5. Setup.ini File [Agent] Section Arguments
PORT
K
EY
SSL_ALLOW_BEAST
D
ESCRIPTION
P
OSSIBLE
V
ALUES
Agent listening port
Handles possible security flaws in SSL3 and TLS 1.0
protocols for
BEAST attacks
•
•
1 - 65535
0 : Protect against
BEAST attacks
<other_value>:
Do not implement any security workarounds for
BEAST vulnerabilities
1
D
EFAULT
V
ALUE
E
NCRYPT
<empty> No
ED
-
No
T
ABLE
2-6. Setup.ini File [Message] Section Arguments
K
EY
REGISTER_TRIGGER
D
ESCRIPTION
Register message trigger
UNREGISTER_TRIGGE
R
Unregister message trigger
•
•
•
•
P
OSSIBLE
V
ALUES
1 : Immediately
2 : On demand
1 : Immediately
2 : On demand
1
D
EFAULT
V
ALUE
E
NCRYPT
-
ED
No
1 No
Local Agent Installation
K
EY
D
ESCRIPTION
UPDATESTATUS_TRIG
GER
Update status message trigger
•
•
•
•
P
OSSIBLE
V
ALUES
1
D
EFAULT
V
ALUE
E
NCRYPT
-
ED
No
UPLOADBLOCKEDEVEN
T_TRIGGER
CHECKFILEHASH_TRI
GGER
Upload blocked event message trigger
Check file hash message trigger
QUICKSCANFILE_TRI
GGER
Quick scan file message trigger
•
•
•
•
1 : Immediately
2 : On demand
1 : Immediately
2 : On demand
1 : Immediately
2 : On demand
1 : Immediately
2 : On demand
1
1
1
T
ABLE
2-7. Setup.ini File [MessageRandomization] Section Arguments
K
EY
D
ESCRIPTION
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
TOTAL_GROUP_NUM
OWN_GROUP_INDEX
TIME_PERIOD
Number of groups controlled by the server controls
Index of group which this agent belongs to
Maximum amount of time agents have to upload data (in seconds)
0 - 2147483647
0 - 2147483647
0 - 2147483647
0
0
0
No
No
No
E
NCRYPT
-
ED
No
No
No
Note
Safe Lock agents respond as soon as possible to direct requests from Safe Lock Intelligent
Manager.
2-19
Trend Micro™ Safe Lock™ Installation Guide
2-20
T
ABLE
2-8. Setup.ini File [Proxy] Section Arguments
MODE
K
HOSTNAME
EY
D
ESCRIPTION
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
E
NCRYPT
-
ED
Proxy mode
•
•
•
0 : No proxy used
1 : Proxy used with manual settings
2 : Proxy used with settings retrieved from Internet
Explorer automatically
0
Proxy host name <host_name>
No
<empty> No
PORT
USERNAME
PASSWORD
Proxy port 1 - 65535
Proxy user name <user_name>
Proxy password <password>
<empty> No
<empty> No
<empty> No
T
ABLE
2-9. Setup.ini File [PreScan] Section Arguments
K
EY
IGNORE_THREAT
D
ESCRIPTION
Cancel installation after detecting malware threat during prescan
•
•
P
OSSIBLE
V
ALUES
0 : Cancel
1 : Continue installation after detecting malware threat during prescan
0
D
EFAULT
V
ALUE
Note
Only valid during silent installation s.
E
NCRYPT
-
ED
No
REPORT_FOLDER An absolute folder path
• <folder_path> <empty> No
Local Agent Installation
K
EY
SCAN_TYPE
D
ESCRIPTION where prescan result reports are saved.
•
The type of scan executed during silent installation
Note
The selected value is used as the default value for a
UI
.
installation
•
•
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
<empty>: Defaults to %windir%\temp
\prescan\log
Full : Scan all folders on the endpoint.
•
Quick : Scans the following folders:
Fixed root drives
For example:
Full
•
•
•
• c:\ d:\
System root folder
For example, c:\Windows
System folder
For example, c:\Windows
\System
System32 folder
For example, c:\Windows
\System32
Driver folder
For example, c:\Windows
\System32\D rivers
E
NCRYPT
-
ED
No
2-21
Trend Micro™ Safe Lock™ Installation Guide
2-22
K
EY
D
ESCRIPTION
P
OSSIBLE
V
ALUES
•
•
•
Temp folder
For example, c:\Users
\Trend
\AppData
\Local\Temp
Desktop folder including sub folders and files
For example, c:\Users
\Trend
\Desktop
Specific : Scan folders specified with
SPECIFIC_FOLDER entries
1 - 20 2
D
EFAULT
V
ALUE
E
NCRYPT
-
ED
No COMPRESS_LAYER
SCAN_REMOVABLE_DR
IVE
The number of compressed layers to scan when a compressed file is scanned.
Scan removable drives
SPECIFIC_FOLDER An absolute folder path to scan when the
•
•
1 : Scan removable drives
<other_value>:
Do not scan removable drives
<folder_path>
Multiple folders can be specified by creating
0 No
<empty> No
Local Agent Installation
K
EY
EXCLUDED_FILE
EXCLUDED_FOLDER
D
ESCRIPTION scan type is
[Specific]
An absolute file path to exclude from scanning
An absolute folder path to exclude from scanning
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
E
NCRYPT
-
ED new entries whose name starting with
SPECIFIC_FOLDER .
Every entry name needs to be unique.
For example:
SPECIFIC_FOLDER=c:
\folder1
SPECIFIC_FOLDER2=c
:\folder2
SPECIFIC_FOLDER3=c
:\folder3
<file_path>
Multiple files can be specified by creating new entries whose name starting with
EXCLUDED_FILE . Every entry name needs to be unique.
For example:
<empty> No
EXCLUDED_FILE=c:
\file1.exe
EXCLUDED_FILE2=c:
\file2.exe
EXCLUDED_FILE3=c:
\file3.exe
<folder_path>
Multiple folders can be specified by creating new entries whose name starting with
EXCLUDED_FOLDER .
<empty> No
2-23
Trend Micro™ Safe Lock™ Installation Guide
2-24
K
EY
D
ESCRIPTION
EXCLUDED_EXTENSIO
N
A file extension to exclude from scanning
P
OSSIBLE
V
ALUES
D
EFAULT
V
ALUE
E
NCRYPT
-
ED
Every entry name needs to be unique.
For example:
EXCLUDED_FOLDER=c:
\file1.exe
EXCLUDED_FOLDER2=c
:\file2.exe
EXCLUDED_FOLDER3=c
:\file3.exe
<file_extension>
Multiple extensions can be specified by creating new entries whose name starting with
EXCLUDED_EXTENSION .
Every entry name needs to be unique.
For example:
EXCLUDED_EXTENSION
=bmp
EXCLUDED_EXTENSION
2=png
<empty> No
Example Setup.ini File
The following is an example of setup.ini
file syntax:
[Property]
ACTIVATION_CODE=XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
NO_SYSTRAY=1
LIST_PATH=c:\temp\list.db
Chapter 3
Local Agent Uninstallation
This chapter describes Trend Micro Safe Lock agent uninstallation procedures.
•
Topics in this chapter include:
Uninstalling Agents from Windows on page 3-2
3-1
Trend Micro™ Safe Lock™ Installation Guide
Uninstalling Agents from Windows
Note
The Safe Lock administrator password is required to uninstall the software from the endpoint.
3-2
Procedure
1.
On an endpoint with the Safe Lock agent installed, launch Trend Micro Safe Lock
Setup.
Depending on your operating system, do one of the following:
O
PTION
•
•
•
•
•
If you use one of the following operating systems:
Windows Server 2012
Windows Server 2008
Windows 8
Windows 7
Windows Vista
•
•
•
If you use one of the following operating systems:
Windows Server 2003
Windows XP
Windows 2000
D
ESCRIPTION a.
Go to Start > Control Panel >
Uninstall a program.
b.
In the list, double-click Trend Micro
Safe Lock.
a.
Go to Start > Control Panel > Add
or Remove Programs.
b.
In the list, select Trend Micro Safe
Lock.
c.
Click Remove.
Safe Lock Setup opens in uninstaller mode.
2.
After Safe Lock Setup opens, click Next.
3.
Provide the Safe Lock administrator password, and click Next.
4.
After the software is finished uninstalling, click Finish.
Local Agent Uninstallation
3-3
Chapter 4
Technical Support
This chapter describes how to find solutions online, use the Support Portal, and contact
Trend Micro.
•
•
•
•
Topics include:
Troubleshooting Resources on page 4-2
Contacting Trend Micro on page 4-3
4-1
Trend Micro™ Safe Lock™ Installation Guide
Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend Micro online resources.
Using the Support Portal
The Trend Micro Support Portal is a 24x7 online resource that contains the most up-todate information about both common and unusual problems.
Procedure
1.
Go to http://esupport.trendmicro.com
.
2.
Select a product or service from the appropriate drop-down list and specify any other related information.
The Technical Support product page appears.
3.
Use the Search Support box to search for available solutions.
4.
If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here: http://esupport.trendmicro.com/srf/SRFMain.aspx
A Trend Micro support engineer investigates the case and responds in 24 hours or less.
Trend Community
To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to: http://community.trendmicro.com/
4-2
Technical Support
Contacting Trend Micro
In the United States, Trend Micro representatives are available by phone, fax, or email:
Address
Phone
Fax
Website
Email address
Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014
Toll free: +1 (800) 228-5651 (sales)
Voice: +1 (408) 257-1500 (main)
+1 (408) 257-2003 http://www.trendmicro.com
•
•
Worldwide support offices: http://www.trendmicro.com/us/about-us/contact/index.html
Trend Micro product documentation: http://docs.trendmicro.com
Related information
➥
Speeding Up the Support Call
•
•
•
•
•
•
To improve problem resolution, have the following information available:
Steps to reproduce the problem
Appliance or network information
Computer brand, model, and any additional hardware connected to the endpoint
Amount of memory and free hard disk space
Operating system and service pack version
Endpoint agent version
4-3
Trend Micro™ Safe Lock™ Installation Guide
•
•
• Serial number or activation code
Detailed description of install environment
Exact text of any error message received
Other Resources
In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.
Related information
➥
➥
➥
TrendEdge
Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties.
See the latest information added to TrendEdge at: http://trendedge.trendmicro.com/
Download Center
From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to: http://www.trendmicro.com/download/
4-4
Technical Support
If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.
TrendLabs
TrendLabs℠ is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery.
Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.
TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.
Learn more about TrendLabs at: http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/ index.html#trendlabs
About Trend Micro
As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtualized, and cloud environments.
As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit: http://www.trendmicro.com
4-5
Trend Micro™ Safe Lock™ Installation Guide
Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro
Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.
4-6
Index
A agent installer
command line interface,
overview,
Setup.ini,
Setup.ini arguments,
Windows Installer,
agents,
operating systems, 1-5 system requirements, 1-5
Application Lockdown,
Approved List
D documentation,
E
Exploit Prevention,
I installation customization,
installer. See agent installer
N
Network Virus Protection,
O operating systems. See agents, operating systems
R requirements. See agents, system requirements
S
Safe Lock. See agents
Self Protection,
system requirements. See agents, system requirements
T
Trend Micro Portable Security,
U uninstallation. See agents, uninstallation upgrading. See agent installer, upgrade preparation
IN-1
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement
Table of contents
- 5 Table of Contents
- 7 Preface
- 7 About the Documentation
- 8 Audience
- 8 Document Conventions
- 11 Chapter 1: Introduction
- 12 About Trend Micro Safe Lock
- 12 What's New in This Version
- 12 Trend Micro Safe Lock 2.0 Features and Enhancements
- 13 Agent Features and Benefits
- 13 Application Lockdown
- 13 Exploit Prevention
- 13 Easy Management
- 13 Small Footprint
- 14 Role Based Administration
- 14 Graphical and Command Line Interfaces
- 14 Trend Micro Portable Security Compatible
- 14 Self Protection
- 14 Safe Lock Agent Requirements
- 15 Agent Requirements
- 15 Agent Operating Systems
- 19 Agent Upgrade Preparation
- 20 Agent Use Overview
- 23 Chapter 2: Local Agent Installation
- 24 Local Installation Overview
- 24 Installing from Windows
- 30 Setting Up the Approved List
- 33 Installation Using the Command Line
- 34 Installer Command Line Interface Parameters
- 35 Installation Customization
- 46 Example Setup.ini File
- 47 Chapter 3: Local Agent Uninstallation
- 48 Uninstalling Agents from Windows
- 51 Chapter 4: Technical Support
- 52 Troubleshooting Resources
- 52 Using the Support Portal
- 52 Trend Community
- 53 Contacting Trend Micro
- 53 Speeding Up the Support Call
- 54 Other Resources
- 54 TrendEdge
- 54 Download Center
- 55 TrendLabs
- 55 About Trend Micro
- 57 Index